Platform: wordpress
Component: instant-chat-wp
Fixed in: 1.0.6
CVE-2024-44018 describes a Path Traversal vulnerability within the Instant Chat Floating Button for WordPress Websites plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of the plugin up to and including 1.0.5, and a patch is available in version 1.0.6.
The core impact of this vulnerability lies in the ability to achieve Local File Inclusion (LFI). An attacker could leverage this to include sensitive configuration files, source code, or even malicious PHP scripts. Successful exploitation could result in complete server compromise, data exfiltration, and defacement of the WordPress website. The attacker could potentially gain access to the WordPress database, user credentials, and other sensitive information stored on the server. Given the widespread use of WordPress, this vulnerability presents a significant risk to a large number of websites.
CVE-2024-44018 was publicly disclosed on 2024-10-05. While no public exploits have been widely reported, the Path Traversal nature of the vulnerability makes it likely to be targeted. The EPSS score is likely to be medium, given the ease of exploitation and the potential impact. It's crucial to apply the patch promptly to prevent potential attacks.
WordPress websites utilizing the Instant Chat Floating Button plugin, particularly those running older versions (≤1.0.5), are at risk. Shared hosting environments are especially vulnerable as they often have limited access controls and a higher density of potential targets.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/instant-chat-floating-button/*
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/instant-chat-floating-button/?file=../../../../etc/passwd' # Check for file disclosure
Exploit status:
EPSS: 0.30% (53rd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to immediately upgrade the Instant Chat Floating Button for WordPress Websites plugin to version 1.0.6 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file access permissions within the WordPress environment to minimize the potential impact of a successful exploit. Implement a Web Application Firewall (WAF) with rules to block attempts to access files outside of the designated directory. Monitor WordPress logs and file system activity for any suspicious PHP file modifications or attempts to access sensitive files.
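The log-monitoring step above can be automated with a small detector. As an added example that is not part of this advisory, the script below scans constructed Apache combined-format access-log lines for requests to the plugin path that carry a directory-traversal sequence; it percent-decodes the URL (repeatedly, so double-encoded input is covered) before matching, which a plain grep for "../" would miss. The plugin path, IP addresses and log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/instant-chat-floating-button/?file=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [05/Oct/2024:10:00:02 +0000] "GET /wp-content/plugins/instant-chat-floating-button/?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [05/Oct/2024:10:00:03 +0000] "GET /wp-content/plugins/instant-chat-floating-button/assets/chat.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2024:10:00:04 +0000] "GET /wp-content/plugins/instant-chat-floating-button/?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# Assumed install path of the affected plugin; adjust to your deployment.
PLUGIN_PATH = "/wp-content/plugins/instant-chat-floating-button/"

# Minimal combined-log-format parser: client IP, request URL and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" after decoding; backslashes are normalized to "/" first.
TRAVERSAL_RE = re.compile(r"\.\./")


def normalize_url(url: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e%2f and %252e... both become ../."""
    prev = None
    while url != prev and rounds > 0:
        prev, url = url, unquote(url)
        rounds -= 1
    return url.replace("\\", "/")


def find_traversal_attempts(log_text: str):
    """Return (ip, status, decoded_url) for plugin-path requests containing traversal.

    Attempts are reported regardless of response status: a 404 still shows probing.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalize_url(m.group("url"))
        if PLUGIN_PATH in decoded and TRAVERSAL_RE.search(decoded):
            hits.append((m.group("ip"), int(m.group("status")), decoded))
    return hits


if __name__ == "__main__":
    for ip, status, url in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {url}")
```

Feed it your real access log in place of SAMPLE_LOG; a hit with status 200 on a version below 1.0.6 warrants treating the host as possibly compromised, not merely probed.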
Update the Instant Chat WP plugin to the latest available version. If no newer version exists, consider disabling or removing the plugin until an update that fixes the vulnerability is published. Consult the plugin's page on WordPress.org for more information and updates.
CVE-2024-44018 is a Path Traversal vulnerability affecting the Instant Chat Floating Button plugin for WordPress, allowing attackers to potentially include arbitrary files.
You are affected if you are using Instant Chat Floating Button for WordPress Websites version 1.0.5 or earlier.
Upgrade the Instant Chat Floating Button plugin to version 1.0.6 or later. Consider temporary workarounds like restricting file access permissions and implementing WAF rules.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Check the Istmo Plugins website and WordPress plugin repository for updates and advisories related to CVE-2024-44018.